Better protect against multiple nextserver commands.

Users could kill the server by sending multiple nextserver commands with crafted spawncount. (cherry picked from commit 318bf10)
res2k · Jan 2, 2025 · 26ca8ce · 26ca8ce
1 parent 2846687
commit 26ca8ce
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/server/server.h b/src/server/server.h
@@ -159,6 +159,7 @@ typedef struct server_entity_packed_s {
 typedef struct {
     server_state_t  state;      // precache commands are only valid during load
     int             spawncount; // random number generated each server spawn
+    bool            nextserver_pending;
 
     int         framerate;
     frametime_t frametime;

diff --git a/src/server/user.c b/src/server/user.c
@@ -600,7 +600,10 @@ static void SV_NextServer_f(void)
     if (Q_atoi(Cmd_Argv(1)) != sv.spawncount)
         return;     // leftover from last server
 
-    sv.spawncount ^= 1;     // make sure another doesn't sneak in
+    if (sv.nextserver_pending)
+        return;
+
+    sv.nextserver_pending = true;   // make sure another doesn't sneak in
 
     const char *v = Cvar_VariableString("nextserver");
     if (*v) {